More Analysis: HummingBad Is NOT Just Shedun Redux

Written by

The HummingBad malware has sparked some back-and-forth in the security community about whether it’s a brand-new thing or just a variation of a known malicious family. Security firm ElevenPaths has done an analysis and says that HummingBad is, in fact, a distinct baddie rather than a version of the Shedun malware.

Check Point started things off and reported the malware as a new strain of Android mobile malware discovered this past February. HummingBad establishes a persistent rootkit on Android devices to generate fraudulent ad revenue, and installs additional fraudulent apps to increase the revenue stream for the fraudster. Check Point said that it was found to control 85 million devices globally, generating an estimated $300,000 per month in fraudulent ad revenue for the criminals behind it, i.e., Yingmob, a group of Chinese cyber-criminals. Yingmob also happens to operate a legitimate ad network.

Related to this was Cheetah Mobile’s report on Hummer at the beginning of July, which it characterized as a newly found mobile trojan family that has quickly become the No. 1 Android malware in the world. As of the end of June, the average number of Hummer-infected phones stands at almost 2 billion, which is a larger install base than any other mobile phone trojan.

Hummer infected nearly 1.4 million devices per day during the first half of 2016, according to data collected by Cheetah Mobile Security Research Lab. In China alone, where it originated, there were up to 63,000 infections daily. But the Hummer trojan is spreading throughout the world, and India, Indonesia and Turkey now see the largest number of infections. Based on Cheetah Mobile’s estimation, if the virus developer were able to make $0.50 (the average paid for a new installation) every time the virus installed an application on a smartphone, the Hummer group would be able to make more than $500,000 daily.

HummingBad and Hummer, ElevenPath said, are actually the same thing: “We can easily confirm with Tacyt because, for example, it uses the same infrastructure and rooting file called right_core.apk, which is sometimes embedded and sometimes downloaded,” it said in a blog.

Lookout Software meanwhile came out last week and said that it believes HummingBad/Hummer to be another face of a particularly dangerous family of malware, known as Shedun. And, according to Lookout, detections of it spiked over 300% in March, and further spiked over 600% in the past month.

Lookout discovered and first reported Shedun last November. It’s a trojanized adware that roots Android devices, masquerading as legitimate apps such as Facebook, Twitter, WhatsApp and Okta’s enterprise single sign-on app. Three similar families are associated with Shedun: Shuanet, ShiftyBug and BrainTest. The firm said that it wanted to emphasize that, despite declarations to the contrary, HummingBad isn’t new.

“To make matters more confusing, different vendors have different names for Shedun,” Lookout noted in a blog. “You may have heard Shedun called HummingBad, Hummer, or ANDROIDOS_LIBSKIN, or right_core (the APK name). Recent reports on HummingBad raise alarms of a malicious and widespread family one of our competitors claims to have first discovered it in February 2016. This is the same as Shedun, which we discovered several months before then, in November 2015. This family is extremely malicious, but it is not new.”

However, ElevenPath agrees with Check Point and Cheetah Mobile on this one. It noted that there were some aggressive apps discovered on Google Play in early 2015 (Shedun, Ghost Push, Brain Test, Kemoge, etc.) that were supposedly different families of malware, but with the same idea about serving aggressive ads, rooting the devices, sending commands and installing new packages. Upon inspection though there were several similarities that indicate that these families are related, including domains, dates, permissions, names, certificates, resources and so on.

But HummingBad is different, it said.

“We determined that it uses a completely different infrastructure with little in common with our previous findings, even though it follows the same philosophy of rooting the device and silently installing apps,” the firm said. “For example, HummingBad uses mainly these domains: guangbom.com, hummerlauncher.com, hmapi.com, cscs100.com… They are not shared with previous Chinese families, except hmapi.com, which seems common place for adware and malware.”

A Check Point spokesperson told Infosecurity that there are big differences between Shedun and HummingBad:

1. They were created and are operated by two distinct groups and attributed to different authors;

2. They are communicating with completely different internet domains and exhibit drastic changes in how they are internally coded/constructed;

3. The two families have different roots in advertising activity in Google play, dating back to 2014 and 2015 respectively;

4. And, the two malware families are competing on market share dominance.

“Attribution is always a risky exercise for every researcher (including us), but we believe HummingBad is not an evolution but is instead another new, dangerous rooting malware that was developed alongside previous malwares,” ElevenPath concluded. “HummingBad is Hummer, but it does not seem to be Shedun/GhostPush/Brain Test itself.”

It added, “This is important, because it would mean cyber-criminals are learning from each other. It is not just the same group evolving its own product. That is scary, since they will most likely improve technically to gain market share when they have ‘competitors.’"

Photo © Maksim Kabakou

What’s hot on Infosecurity Magazine?